Hackers Beware: The Ultimate Guide to Network Security, part 5

“ Hackers Beware “ New Riders Publishing
326
use confusing letters or they used only one—for example, no passwords
containing the letter L or the letter o. This way, you would know that
confusing items were really numbers. Usually, letters were left out
because there were a lot more letters than numbers to choose from.
The second thing companies did was they added vowels in key spots, so
that the passwords were not dictionary words but were still
pronounceable, like gesabaltoo. This made a password easier to
remember because a user could at least sound it out. Another trick was to
take dictionary words and replace letters with numbers—for example,
ba1100n, where the letter l is replaced with one and o is replaced with
zero. These, however, were quickly discarded because it is fairly easy to
write a program that checks for these permutations.
Despite these innovations, users still wrote their passwords down,
because they had difficulty remembering them. Most companies
eventually gave up and allowed users to pick their own passwords. The
main concern was that users would use guessable passwords. Within a
short time period, everyone’s concerns came true when companies
realized that most users picked easy-to-guess passwords.
In response, companies issued password policies that all users had to
sign. These policies clearly stated that passwords must be hard to guess
and other details. In most companies, these policies had little impact on
the strength of passwords.
Finally, companies decided that if users were going to pick their own
passwords, there needed to be some way to automatically enforce the
password policy. This was done by utilizing third-party programs that
could be used to check a user’s password; if it did not adhere to the
policy, the program would force the user to change it. This improved the


strength of the password, but because they were harder to remember,
people started writing their passwords down again.
Future of Passwords
Today, most companies are either fighting the endless battle with users or
are using one-time passwords. One-time passwords can be expensive but
provide a nice alternative. With a one-time password, a user is given a
device that generates a new password at certain time intervals, usually
every minute. This device is keyed with the server, so that both devices
generate the same password at the same time. Now, when a user wants
to log on to the system, she looks at the display and types in the
password. This works nicely because a user has a different password each
time he logs on. Even if an attacker gets the password, it is only good for
one minute.


In addition to time-based, one-time passwords, there are devices that
support challenge response schemes. With these devices, the user
provides his user ID to the system, and the system responds with a
challenge. The user takes this challenge and enters it into the device. The
device then provides a response that the user enters as the password.
One issue with this scheme is that the device the user has to carry with
her must allow her to provide input to the device. This tends to make the
devices more expensive. A problem with both types of device is that they
are subject to getting lost or stolen. With these devices, users do not have
to remember passwords, but they do have to remember to keep the
device with them at all times. If you look around and see how often
people forget their badges, you can better understand the scope of the
problem.
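As an added illustration of the two device types just described (this is example code written for this section, not code from the book), the following shows how a time-based token and the server that is "keyed" with it each compute the same code for the same minute, and how a challenge-response token answers a server challenge. The time-based part follows the published HOTP/TOTP algorithms (RFC 4226 and RFC 6238); the challenge-response part uses an HMAC of the challenge, which is this example's own choice rather than any particular vendor's scheme. The 60-second step and the one-interval clock tolerance are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, then "dynamic truncation" to the requested digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the number of
    `step`-second intervals since the Unix epoch. Token and server share `key`,
    so both derive the same code for the same interval (the book's "every minute")."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 60,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side check. Accepts the current interval plus `skew` intervals on
    either side to tolerate clock drift between token and server, and compares
    in constant time so a timing difference does not leak matching digits."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-skew, skew + 1))


# --- challenge-response device (assumed HMAC construction) -----------------

def issue_challenge() -> bytes:
    """Server picks an unpredictable nonce and displays it to the user."""
    return os.urandom(8)


def token_response(key: bytes, challenge: bytes, digits: int = 8) -> str:
    """What the user's device computes once the challenge is keyed in:
    HMAC-SHA256(key, challenge) reduced to decimal digits the user can type."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def verify_response(key: bytes, challenge: bytes, response: str) -> bool:
    """Server recomputes the expected response for the challenge it issued."""
    return hmac.compare_digest(token_response(key, challenge), response)


if __name__ == "__main__":
    shared_key = os.urandom(20)  # provisioned into both the token and the server
    now = int(time.time())
    code = totp(shared_key, now)
    print("token displays", code, "-> server accepts:", verify_totp(shared_key, code, now))
    chal = issue_challenge()
    resp = token_response(shared_key, chal)
    print("challenge", chal.hex(), "response", resp,
          "-> server accepts:", verify_response(shared_key, chal, resp))
```

A code is only useful within its interval (plus the skew the server allows), which is the property the text relies on: a captured code is good for about a minute. The HOTP and TOTP functions can be checked against the test vectors in RFC 4226 and RFC 6238 with the 20-byte ASCII key `12345678901234567890`.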

Another technology that has been out for a while, but gets a lot of
resistance, is biometrics. Biometrics uses human features to uniquely
identify an individual. For example, everyone’s fingerprint is different, so
why not have a fingerprint reader at each machine to determine if the
user is really who he says he is? The following web site contains detailed
information on biometrics and how some of the techniques work:
The following are some of the common
biometrics that are being used:
• Fingerprint scan
• Hand scan
• Retinal scan
• Facial scan
• Voice scan
Each of these techniques has different reliability, costs, and risks
associated with it.
Some of the advantages of biometrics are that it requires nothing for the
user to remember, and the data is hard to forge. Both are key
requirements for good authentication systems. Biometrics are also with a
user at all times and are very difficult to lose.
One of the biggest complaints about biometrics is invasion of privacy.
Most people are very concerned about having their personal information
stored and archived on servers. A lot of people view this as the first step
toward large government databases, which would lead to no privacy. If
you think about it, it can be very scary. Think of a system where someone
can identify you anywhere and any time. Another concern is safety. Most
people are not comfortable with someone scanning their eye, especially
because this equipment has not been around long enough to know the
long-term effects. The last problem is cost. Currently, having each user
log on to the system with a password does not cost a lot of money. With



biometrics, a reader has to be attached to every single device that a user
could log on from. This means, if there are over 1,000 machines at a
company, every single machine, including machines that are at
employees’ homes that are used to log on remotely, must also have these
devices installed. As you can imagine, the price tag for implementing this
can easily exceed a million dollars for a mid-size company.
As with any system, currently most companies have decided that the
disadvantages outweigh the advantages and therefore are not using
biometrics. However, as passwords get easier and easier to crack, you
might see more and more companies looking towards biometrics as the
solution.


What Really Works: A Real Life Example
As you can see from looking at the history of passwords, most of
the things companies have implemented to protect passwords do
not work, which can lead to a high level of frustration for the
company and the end user. Based on the frustration factor, one of
the most common questions I get asked when I lecture on this
topic is, “What can we do, or what do you recommend to fix the
problem?” If I merely told you what I have found to work, you
might not believe me; so I will give some facts to back my
position.
When I headed up internal security for a fairly large company, one
of the problems was passwords. When I first started, we scanned

everyone’s passwords and were able to crack 80 percent of the
passwords in ten minutes and 95 percent of the passwords in
fewer than five hours. This was a huge security hole, so I put
together a password policy that clearly stated that all passwords
must contain at least one letter, one number, and one special
character and should not contain a word.
Two weeks later, I re-ran the password cracker and was able to
crack 78 percent of the passwords in ten minutes. As you will see
in the next section, password policies are important from a
corporate and legal standpoint, but in some cases have little effect
on the user. Next, I decided to send emails to users that
consistently had weak passwords to explain to them the problem
and asked them to pick a stronger password. We also sent them
directions on how to change their passwords and said that if they
needed any help, they could call us.
Again, we ran the password cracking program and were still able
to crack 77 percent of the passwords. As you can tell, we were not
making a lot of improvements. Then, we decided to post paper
messages on their monitors, so that we knew that they saw it.
Besides causing several people to pull me aside and curse and
verbally abuse me, it had no effect. Users became very upset
because they felt that we were becoming big brother and taking
too much control. If you enjoy being screamed at, this should be
top on your list.
Finally, I hit on something that worked. I realized that most people
at the company did not understand or appreciate security. I
received permission from the CIO to have mandatory security
awareness sessions.


After the sessions, not only did users come up to me and explain
that they always thought security people were annoying, but now
they understood what a key role we play in the success of the
company. I even had the unthinkable happen: difficult users came
up to me and apologized for giving us a hard time and promised to
do their part. If that last sentence does not make a believer out of
you, the percentages will. After I gave the sessions to most of the
employees, we ran the cracking program again and only cracked
18 percent of the passwords in ten minutes.
If you decide to hold security awareness sessions, here are
some tips to make them successful:
• Hold the session on a Thursday or Friday.
• Serve food.
• Have it during lunch or in the afternoon.
• Limit it to no more than two hours with questions.
• Make it interesting and involve the users.
I usually like to hold the sessions at noon on Friday and serve
pizza—what works even better is 2:30 on Friday and serve ice
cream. It is amazing what you can get people to sit through if you

g
ive them food. If you serve hot fud
g
e with the ice cream, you can
even get the CIO to show up!
I knew that user awareness sessions were a good thing to do, but
I did not realize the importance until after the sessions. Table 8.1
is a chart comparing the different methods of raising user
awareness.
Table 8.1. Methods of Raising User Awareness on Passwords

Method                    Passwords Cracked   Comments
                          in 10 Minutes
Nothing                   80%                 This is what I find at most companies.
Password policy           78%                 Even though there was not a huge impact,
                                              a policy is still critical.
Email                     77%                 Most users ignore email from security.
Post message              77%                 Users become irate.
User awareness sessions   18%                 Clearly the best strategy.
I am now a firm believer that the only way to have strong
passwords and good security is to have educated users. Don’t take
this the wrong way, but if you have user awareness sessions and it
does not improve your security, you did it wrong. Let the users fill
out feedback forms so that you know what areas you should
change the next time you give these sessions. Also, limit them to


around 30 people so that you can have good interaction. Even if
your security does not improve, you will be known companywide
as the cool dude that gives out ice cream, which isn’t a bad thing.
Password Management
Now that you have an understanding of the current problems, let’s look at
password management issues. Most companies require users to come up
with random passwords, but have no policies to support this requirement.
Let’s look at why you need passwords and corresponding policies and
what exactly I mean when I say you need strong passwords.
Why Do We Need Passwords?
The answer to this question might seem obvious, but believe it or not
there are a lot of people that think passwords are a nuisance and should
not be used. One common question users ask is “Why do we need
passwords? Don’t we trust everyone?” The answer to that question is
unfortunately “No, we do not trust everyone.”
Trust me, I have a long list of companies that had no passwords because
they trusted everyone. There is only one problem with the list: most of the
companies are no longer in business! Trust your friends and family, not
your employees.
Another argument for trusting employees is, “We trust them everyday by
giving them access to buildings and equipment, and they rarely steal
computers. What makes us think they would steal information?” The
answer to that is a little tricky. We trust users to a point. Most users
would not steal computers because it is not easily done, is fairly easy to

trace, and usually companies quickly realize the equipment is missing.
Computers also have an obvious value. On the other hand, it is hard to
tell if someone takes an unauthorized copy of a document home, and for
most people, putting a value on a document is difficult.
Based on the fact that it is hard to control access to electronic
information, passwords are very important, not only to protect individual
privacy but also to protect sensitive information and track who has access
to it. Therefore, passwords provide a nice mechanism to uniquely identify
individuals and only give them access to the information they need. Just
like most houses have keys so people can secure their belongings,
passwords provide the keys to protect corporate information.
Why Do You Need a Password Policy?
Even though password policies do not cause all users to have strong
passwords, they are still important. One of the problems with security is


that people are always looking for the silver bullet. They want one thing
that will fix all of their security issues. Security policies, and more specifically
password policies, sometimes fall into this category. Administrators feel
that if they have a strong password policy, they will never have to worry
about weak passwords. That is far from the truth, but the policies are still
necessary. Whenever you are implementing a new security measure, it is
always important to have proper expectations. This way, you can tell how
successful it is.
Password policies are important for several reasons. First, they explain to
users what is expected of them and what the rules of the company are in
regard to passwords. Security professionals might take it for granted that
a strong password contains letters, numbers, and special characters and is

very hard to guess, but an average user probably does not know that. The
security policy lets users know what passwords should contain and why
passwords are important and gives hints for picking good passwords. If
you just send out a policy stating that all passwords must contain certain
letters and be hard to guess, most users will get frustrated and try to
work around it. If you explain to them why this is important and give
them hints, they are more likely to follow the policy.
Another key aspect of the policy is enforcement. On one hand, your policy
should state what action the company can take if a user does not follow
the policy. For example, failure to adhere to the policy can result in
termination of the employee. On the other hand, you do not want users to
take it as a threat, because they get very defensive. If you have not
figured it out, defensive users are very bad from a security standpoint. If
you tend to have a large number of defensive and irate users, you might
want to put a bulletproof vest in your security budget. (I actually did that
once; unfortunately, the budget was not approved, but I tried.)
You also want to make sure the policy can be consistently enforced. If the
policy states that any employee who does not follow the policy will have a
security violation put in her permanent record, this must be followed for
any employee that has a weak password. Too often, companies use strong
wording but only enforce the policy for some employees. In those cases,
the employees that did not follow it have a strong case against the
company. Consistency and precedence are key.
Having a strong password policy is also beneficial for legal reasons. If a
company wants to take a strong stance on security and be able to take
legal action against an individual, it needs clearly documented policies. For
example, let’s say that an attacker breaks into the company and
compromises a large amount of information because of an employee’s
weak password. To take action against the person with the weak
password, the company needs a clear password policy that everyone is

aware of and is signed and clearly enforced. Most users are not aware of


this point, or this liability. If your company has a clear policy on
passwords that it enforces and you (the employee) have a weak password
that an attacker uses to compromise the system, you could be in some
legal trouble.
What Is a Strong Password?
I keep talking about strong versus weak passwords, but what actually
constitutes a strong password? Before I tell you what I consider a strong
password, it is important to point out that the definition of a strong
password can change drastically based on the type of business a company
is in, its location, the people that work for the company, and so on. I
stress this because the information I provide for what constitutes a strong
password can change drastically based on your environment.
This definition also changes as technology advances. What was considered
a strong password five years ago is now considered a weak password. The
main reason for this change is the speed of computers. A state-of-the-art
computer system today is considerably faster and cheaper than what was
state-of-the-art five years ago. A password that took several years to
crack with the fastest computer five years ago can be cracked today in
under an hour. So, as technology changes and computers become faster
and cheaper, passwords must become stronger.
Based on current technology, the following characteristics identify what I
believe to be a strong password:
• Changes every 45 days.
• Minimum length of ten characters.
• Must contain at least one alpha, one number, and one special
character.
• Alpha, number, and special characters must be mixed up and not
appended to the end. For example, abdheus#7 is bad, but
fg#g3s^hs5gw is good.
• Cannot contain dictionary words.
• Cannot reuse the previous five passwords.
• Minimum password age of ten days.
• After five failed logon attempts, password is locked for several
hours.
As you read this, you probably can come up with arguments on why some
of the items are invalid, but the thing to remember is that there is no
perfect solution. When you come up with a password policy, tradeoffs
have to be made with the goal of finding the right mix that fits best with a
particular company (and its users).


How Do You Pick Strong Passwords?
Most users have weak passwords because they don’t know what
constitutes a strong password and therefore don’t know how to create
strong passwords for their accounts. I recommend educating users to use
phrases as their passwords instead of words. Picking a password that is
easy to remember, contains no dictionary words, and has numbers and
special characters is no easy task. Remembering a phrase, however, is
fairly easy; you simply use the first letter of each word as your password.
If I tell you that your password is WismtIs!@#$%5t, you would probably
say, “There is no way that I can remember that password!” But if I ask
you to remember the phrase, “When I stub my toe I say ‘!@#$%’ five
times,” you could probably remember it. Simply take the first letter of

each word in the phrase, and you have your password.
I tell most people to pick a phrase that relates to their family or personal
interests. You cannot use just a word that relates to family or personal
interests, because it would be too easy for an attacker to guess; but
because you are using phrases, it is okay to pick something related to
your family or personal interests. For example, you will never forget when
or where your child was born. So, one possible phrase is, “My 1st child was
born at Oakridge Hospital on 7/14.” Now my password would be
M1cwb@Oho7/14. That password would be extremely difficult for an
attacker to guess, even if he knows when and where your child was born,
because there are so many different combinations and phrases that you
can use.
I have found that educating users and explaining to them how to pick
phrases instead of words has a tremendous impact on the overall strength
of passwords for a corporation.
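The following is an added example (written for this section, not code from the book) that puts the two preceding pieces together: it turns a phrase into a password by the first-letter method, and it checks a candidate against the strong-password characteristics listed earlier (length, character classes, the "mixed, not appended to the end" rule, dictionary words, and reuse of the previous five). The word substitutions (`at` to `@`, number words to digits, a leading ordinal such as `1st` to `1`) are this example's way of reproducing what the book does by hand; the tiny dictionary is constructed. One caveat: the code keeps each word's own capitalization, so the Oakridge phrase yields `M1cwb@OHo7/14` where the book writes `M1cwb@Oho7/14`.

```python
import re
import string
from typing import List, Sequence

# Whole-word substitutions applied before taking a first letter (constructed
# for this example; the book has no fixed rule and substitutes by hand).
WORD_SUBSTITUTIONS = {
    "at": "@", "and": "&", "zero": "0", "one": "1", "two": "2", "three": "3",
    "four": "4", "five": "5", "six": "6", "seven": "7", "eight": "8",
    "nine": "9",
}

# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "child", "hospital", "born", "summer", "welcome"}

SPECIALS = set(string.punctuation)


def phrase_to_password(phrase: str) -> str:
    """First letter of each word, with the book's hand substitutions:
    'at' -> '@', number words -> digits, '1st' -> '1', and tokens with no
    letters at all ('7/14', '!@#$%') kept exactly as typed."""
    out = []
    for word in phrase.split():
        word = word.strip("\"'.,;:")          # drop quotes and trailing punctuation
        if not word:
            continue
        low = word.lower()
        if low in WORD_SUBSTITUTIONS:
            out.append(WORD_SUBSTITUTIONS[low])
        elif not any(ch.isalpha() for ch in word):
            out.append(word)                   # a date or a run of specials
        elif word[0].isdigit():
            out.append(re.match(r"\d+", word).group())   # '1st' -> '1'
        else:
            out.append(word[0])                # ordinary word: its first letter
    return "".join(out)


def check_policy(password: str, previous: Sequence[str] = (),
                 min_length: int = 10) -> List[str]:
    """Returns the list of rule violations; an empty list means it passes.
    Rules follow the chapter's list of strong-password characteristics."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs at least one letter, one digit and one special character")
    # "mixed up and not appended to the end": at least one digit or special
    # must occur before the last letter, so abdheus#7 fails and fg#g3s^hs5gw passes
    last_alpha = max((i for i, c in enumerate(password) if c.isalpha()), default=-1)
    if has_alpha and not any(not c.isalpha() for c in password[:last_alpha]):
        problems.append("digits/specials are only appended to the end")
    low = password.lower()
    hits = sorted(w for w in DICTIONARY if len(w) >= 4 and w in low)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if password in list(previous)[-5:]:
        problems.append("reuses one of the previous five passwords")
    return problems


if __name__ == "__main__":
    for phrase in ("My 1st child was born at Oakridge Hospital on 7/14.",
                   "When I stub my toe I say '!@#$%' five times"):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw} -> {check_policy(pw) or 'passes'}")
    for candidate in ("abdheus#7", "fg#g3s^hs5gw", "Welcome2024!"):
        print(f"{candidate}: {check_policy(candidate) or 'passes'}")
```

Running it shows both phrase-derived passwords passing every rule, while `abdheus#7` fails on length and on having its digit and special only appended, and `Welcome2024!` fails for containing a dictionary word as well as for the appended-suffix pattern. The checker reports every violation rather than stopping at the first, which is what a user needs in order to fix the password in one try.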
How Are Passwords Protected?
So far in this chapter, we have covered a lot about passwords from a
user’s perspective and things users can do to make their passwords
harder to crack. Basically, if a user has a weak or blank password, there is
no need to crack the password—an attacker would just guess it. In cases
where a password cannot be easily guessed, an attacker has to crack the
password. To do this, he must know how passwords are stored on the
system.
Let’s look at it from a system perspective. What does the system do to
keep passwords secure? Basically, any password stored on a system must
be protected from unauthorized disclosure, unauthorized modification, and
unauthorized removal.



Unauthorized disclosure plays a key role in password security. If an
attacker can obtain a copy of your password and read it, he can gain
access to the system. This is why it is important that users do not write
down their passwords or reveal them to co-workers. If an attacker can
obtain a copy of a user’s password, he can become that user, and
everything the attacker does could be traced back to that user.
Unauthorized modification is important, because even if an attacker
cannot read your password, he still might be able to modify it by
overwriting the password with a word that he knows. This, in essence,
changes your password to a value that the attacker knows, and he can do
this without knowing the user’s actual password.
This has been a problem with various operating systems. In early versions
of UNIX, there were attacks where an attacker could not read someone’s
password, but would just overwrite the encrypted password with an
encrypted password that the attacker knew. On early UNIX systems, the
user IDs and passwords were stored in a readable text file called
/etc/passwd. An attacker would create an account and give it a password
that he knew. He would then try to gain writable access to /etc/passwd
and if he could, he would copy the encrypted password of the account he
just set up and overwrite the encrypted password of root. Then he could
log in as root, without ever knowing the original password of root.
A similar modification attack is available with Windows NT. There is a
program called LinNT, which creates a Linux bootable floppy for NT. An
attacker could boot off the floppy, which would boot the system into
Linux. This allows the attacker to list the user accounts on the NT system
and overwrite any of the passwords with a password he chooses. This
allows an attacker to perform an unauthorized modification of a password,

without ever knowing the user’s original password.
Unauthorized removal is also important because if an attacker can delete
an account, he can either cause a Denial of Service attack or recreate the
account with a password of his choosing. Denial of Service attacks are a
class of attacks where the goal is to deny legitimate users access to the
system. For example, if over the weekend I broke into your system and
deleted every user account, I would cause a Denial of Service attack
because when everyone came in on Monday, they could not log on to the
system and they would be denied access. Chapter 6, “Denial of Service
Attacks,” covers these attacks in detail.
To protect passwords from unauthorized disclosure, modification, and
removal, passwords cannot be stored in plain text on the system. Think
about this for a minute. If there is a text file on the system that contains
all of the passwords, it would be trivial for someone to just read the file
and get everyone’s password. To defeat this, there needs to be a more


secure way to store passwords on a system, and the solution is
encryption. Encryption basically hides the original content, so if someone
gets the encrypted password, he cannot determine what the original or
plaintext password is.
Encryption
To understand why encryption is the solution, you need to understand
what encryption is and how it works from a high level. This is not meant
to be a complete explanation or description of encryption. Entire books
have been written on encryption that cover this material in more depth.
For a detailed description of encryption, I highly recommend the book
Applied Cryptography by Bruce Schneier. This section is meant to give you

enough information to better understand password cracking. In essence, it
gives you enough information to be dangerous.
In its most basic form, encryption is the process of converting plain text
into ciphertext, with the goal of making it unreadable. In this context,
plain text is the original message or readable password, and ciphertext is
the encrypted or unreadable version. For our purposes, ciphertext is simply
garbled text. To give you an example, the following is a plain text
message:

This is a plaintext message.

Here is the corresponding message encrypted with Pretty Good Privacy (PGP):

qANQR1DBwU4DoGKRq+lZHbYQB/0dgBvp6axtoP9zu2A6yB964CJcqZ5Ci9NlW/6B
pBU3qitff/M9IldSoNtFuMcQMvxK5c7R4+qmPM7pgsXaRYEBjuA9cDEI2qp4bOhl
kJRaM/cCRLBWdBP8UUocfRk3jHxg6cwy9QwVVwCZ7LL+6rQT9kohdbAlVENY/XnL
9wP4QcJ3k1yjznxB0t9yF1Dnshpzvs0HcdxK3CTl9Ulk8n+Sw0J+MV0EoV3uqbRa
Cuyo5Z3zZeyGttfYaDBXBIPq6qouNIaxz+9cRtA7y5jNfLPdYmPzrwVsz0IGfMzA
1Bf3ByMieQt/QSdMFhkihI89AT2qVSeyosIgWpCXFaB468bXCADtN7h6BWaCNEV0
hSsJo6O9uv8v1OlKfXBpdnXvsMZxrA4yTATfO3xnxmRp4kXMlmPElPxSzBId2Vqr
IJZ/HZfxbyWKZG5UQuG62228xDPWhYQBeKvyACUXzguHgddTO3+XYFxWgUdV8mNi
4twA2hdapuAUZSyuIsnGa0yhpXFQzEUrYwKV/hxL4cUkzxVzr9Hf9qTbVd/TrFqF
0wrbFvb2m65i++H2w73w3PlnKvKNiPyJ8iFsLLXyfZgmOtF6QYaeBqBIp31Hd3s+
GAqJxs07jxm+ba+slJgLzZDJpc/hyn6dpjyD0Ww6myfGaZuN4a6W3JIr8xlBlO/e
+saFwexnyTNwySfcL6sOQQN3Rs0ucws3ORJKlEqxJnfcXwfoSILZYFwZ2ucrTZMS
hEnBTMCuW
As you can see, the encrypted message is very hard to read. Notice also that
the encrypted message is considerably longer than the original plain text
message.
Now that you know what encryption is, let’s look at the different types of
encryption. There are basically three types of encryption:
• Symmetric or single key encryption
• Asymmetric or two key encryption
• Hash or no key encryption
Symmetric Encryption
Symmetric encryption uses a single key to both encrypt and decrypt the
text. If I encrypt a message and want you to be able to decrypt it, you
have to have the same key that I used to encrypt it. This is similar to a
typical lock on a door. If I lock the door with a key, you must have either
the same key or a copy to unlock the door. The advantage of symmetric
encryption is that it is very fast. The disadvantage is that you need a
secure way to exchange the key prior to communicating.
Asymmetric Encryption
Asymmetric encryption overcomes the shortfalls of symmetric encryption

by using two keys: a public and a private key. The private key is known
only by the owner and is not shared with anyone else. The public key is
given to anyone that would possibly want to communicate with you. The
keys are set up so that they are the inverse of each other. Anything
encrypted with your public key can only be decrypted with your private
key, so this arrangement works out nicely. Someone who wants to send
you a message encrypts it with your public key, and only the person with
the private key can decrypt it and use it. The advantage of public key
encryption is that you do not need a secure way to exchange the keys
prior to communication. The disadvantage is that it is very slow.
For secure communications, most systems combine symmetric and
asymmetric encryption to get the best of both worlds. You use asymmetric
encryption to initiate the session and to exchange a session key. Because
the session key is encrypted with public keys and decrypted with private
keys, it can be sent in a secure fashion. After it is exchanged, the session
key is used with symmetric encryption for the remainder of the session,
because it is much quicker.


Hash Functions
Hash functions are considered one-way functions because they perform a
one-way transformation of the information that is irreversible. Given an
input string, the hash function produces a fixed length output string, and
from the output string, there is no way to determine the original input
string.
Looking at the preceding options, a hash function seems like the best way
to store a password on a system because there is no key to worry about.
Also, because it is irreversible, there is no way to get the original

password. You are probably thinking, “If it is irreversible, how do you ever
get back the original password so that you can verify someone’s password
each time he logs on?” The answer is simple. Each time a user logs on to
the system and types her password, the system takes the plain text
password she enters, computes the hash, and compares it with the stored
hash. If they are the same, the user entered the correct password. If they
are not the same, the user entered the wrong password.
There is one possible limitation to hash functions, which is a by-product of
how hash functions work. Because a hash function is deterministic, two
passwords that are the same will always hash to the same value. The weakness
behind using hash functions is that if I have a password of pass1234 and
you have a password of pass1234, we both have the same encrypted
passwords. This enables a password cracker to crack both of our
passwords at the same time, speeding up the process. To overcome this,
a salt is often combined with a password before running it through the
hash function.
The sole purpose of a salt is to randomize a password. By using a salt, two
users with the same password will have different encrypted passwords. A
salt is a random number that is combined with a password before it is run
through the hash function. The salt is then stored with the encrypted
password. Because the salt is random, two users do not have the same
salt. So even if the passwords are the same, because the salts are
different, two users will never have the same encrypted password.
Now that you know what a salt is, let’s discuss what occurs when a user
tries to authenticate to a server. The user enters her password. Based on
the user account, the system looks up the user and finds her salt and
encrypted password. The system takes the password that the user
entered, combines it with the salt, and runs it through the hash function.
The system then takes the output and compares it to the stored encrypted
string. If there is a match, the user is given access. If there is not a

match, the user is denied access.
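As an added example of the salt-and-hash storage and the verification sequence just described (example code written for this section, not code from the book), the following stores a random per-user salt beside the digest and, at logon, recomputes the digest from the entered password and the stored salt. In place of the generic "hash function" in the text it uses PBKDF2-HMAC-SHA256 from Python's standard library, a deliberately slow iterated hash; the iteration count and the dummy-credential check for unknown usernames are this example's own design choices. `unsalted_digest` is included only to show the weakness the text describes: identical passwords produce identical stored values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256; chosen for this example, tune to your hardware.
ITERATIONS = 600_000


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes        # random per user, stored beside the digest as the text describes
    digest: bytes      # hash(salt, password); the password itself is never stored
    iterations: int


def unsalted_digest(password: str) -> bytes:
    """The scheme the chapter warns about: no salt, so two users with the same
    password get identical stored values and can be cracked together."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def create_credential(password: str, iterations: int = ITERATIONS) -> StoredCredential:
    """Pick a fresh 16-byte salt, run salt + password through the hash, and
    keep salt and digest. Same password with a new salt gives a new digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(salt, digest, iterations)


def verify_password(cred: StoredCredential, attempt: str) -> bool:
    """Logon check: rerun the attempt through the hash with the stored salt and
    compare with the stored digest. The constant-time compare avoids leaking
    how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


class UserStore:
    """Minimal credential table: username -> StoredCredential."""

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self.iterations = iterations
        self.users: Dict[str, StoredCredential] = {}
        # Verified against when the username is unknown, so a missing account
        # costs the same time as a wrong password (does not reveal valid names).
        self._dummy = create_credential(os.urandom(8).hex(), iterations)

    def register(self, username: str, password: str) -> None:
        self.users[username] = create_credential(password, self.iterations)

    def login(self, username: str, attempt: str) -> bool:
        cred: Optional[StoredCredential] = self.users.get(username)
        if cred is None:
            verify_password(self._dummy, attempt)   # burn the same time, then refuse
            return False
        return verify_password(cred, attempt)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "pass1234")
    store.register("bob", "pass1234")     # same password as alice
    a, b = store.users["alice"], store.users["bob"]
    print("unsalted digests equal:", unsalted_digest("pass1234") == unsalted_digest("pass1234"))
    print("salted digests equal:  ", a.digest == b.digest)
    print("alice correct password:", store.login("alice", "pass1234"))
    print("alice wrong password:  ", store.login("alice", "pass1235"))
    print("unknown user:          ", store.login("mallory", "pass1234"))
```

With the salt in place, alice and bob end up with different stored values even though they chose the same password, which is exactly the property the text says a salt provides; nothing in the table can be reversed to recover either password, only recomputed and compared.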


Password Attacks
Now that we have covered the foundation of passwords, let’s look at what
password cracking is and the different types of attacks. In this section, we
will compare password guessing and password cracking. We will also look
at schemes like password lockout, which most companies use to increase
their security, and show how it can actually allow an attacker to launch a
Denial of Service attack against a company.
What Is Password Cracking?
Let’s delve into password cracking and what it entails. In its simplest
sense, password cracking is guessing someone’s plain text password when
you only have the encrypted password. There are a couple of ways this
can be accomplished. The first is a manual method, where an attacker
tries to guess a password and type it in. To accomplish this, you need to
know a user ID and have access to a logon prompt for the network you
are trying to get into. In most cases, this information is easy to acquire
because most user IDs are comprised of a first initial and last name. Also,
most companies have dialup connections to their network, and by using a
war dialer you can identify the modem lines.
The following is the general algorithm that is used for manual password
cracking:
1. Find a valid user ID.
2. Create a list of possible passwords.
3. Rank the passwords from high probability to low.
4. Type in each password.
5. If the system allows you in—success!
6. If not, try again, being careful not to exceed password lockout (the
number of times you can guess a wrong password before the
system shuts down and won’t let you try any more).
In terms of complexity, this is easy to accomplish but very time-
consuming, because an attacker would have to type in every password. If
the attacker does not have any idea of someone’s password, this does not
really pay off because most companies have account lockouts set for their
accounts. Account lockout is a setting that locks the account after a
predefined number of failed logon attempts. A typical setting is after five
failed logon attempts within two hours, the account is locked for three
hours. Locking a password account disables the account so that it is not
active and cannot be used to gain access to the system.
Some companies have a permanent lockout. After five failed logon
attempts within two hours, the account is permanently disabled until it is
reactivated by an administrator. This can be advantageous. If someone is
trying to break into an account, an administrator will discover it because
he will have to unlock the account. With the other method, because the
account resets after a certain amount of time, the administrator might
never know the account was locked. Knowing that an account has been
locked is a good indicator of an attack that failed. If you wait until the
attacker is successful, the chances of detecting him are extremely low.
One problem with permanent lockout is that it can be used to cause a
Denial of Service attack against a company. For example, if an attacker
wants to lock all of your users out of the system, he can try to log on to
each account, trying five passwords. If they are right, he gains access; if
they are wrong, all users are locked out of the system. In this type of
attack, the attacker wins by either gaining access or disrupting service. I
know some companies that have caused Denial of Service attacks against
themselves (see the following sidebar).
Fortunately, with most operating systems, you can never permanently
lock out the administrator account. Even with a high number of failed
logon attempts, the administrator can still log on locally to the computer.
This might seem like a security risk, but it is important that someone can
always get back into the machine.
Beware of Vulnerability Scanners
One of my clients attempted to identify security holes by using a
vulnerability scanner. A vulnerability scanner is a program that you
run against a system, and it gives you a listing of all the
vulnerabilities that need to be fixed. Vulnerability scanners often
look deceivingly simple to run but have hidden complexities.
This particular client found a product that looked simple to use,
purchased a copy, and ran it late on a Friday afternoon. Everything
seemed to work fine, so everyone went home for the weekend.
Monday morning, a large number of users were complaining that
they could not log on to the system. Believing they were either
under attack or had been attacked over the weekend, the client
gave me a call.
After investigating, we noticed that the setting on their accounts
was to permanently lock all accounts after five failed logon
attempts in four hours and that all of the accounts were locked. At
first, I thought someone launched a Denial of Service attack
against them. I was partially right—they launched a Denial of
Service attack against themselves. Looking at the logs, we realized
that all accounts were locked at the same time and that this time
correlated very closely with when they ran the vulnerability
scanner.
The vulnerability scanner they used had an option to brute force
attack passwords. This is where the scanner goes in and tries to
manually guess the password for each account. For this particular
vulnerability scanner, there were six different passwords it tried for
every account. As you can imagine, this program systematically
went in and locked every single password. So, if you decide to use
account lockout, be very careful.
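An added detection example, not from the book, for the failure described in this sidebar and in the lockout discussion above: it scans lockout log lines and flags any window in which many distinct accounts lock at once, which is what both a guessing attack run against every account and a misconfigured scanner look like. The log lines are constructed, and the line format, field names, and ten-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log for this example. The line format and field names are
# assumptions made here, not the output of any real operating system or
# scanner; adapt LINE_RE to whatever your system actually writes.
SAMPLE_LOG = """\
2001-03-02 09:14:02 ACCOUNT_LOCKED user=bob src=10.1.1.20
2001-03-02 17:02:01 ACCOUNT_LOCKED user=alice src=10.1.1.50
2001-03-02 17:02:01 ACCOUNT_LOCKED user=carol src=10.1.1.50
2001-03-02 17:02:02 ACCOUNT_LOCKED user=dave src=10.1.1.50
2001-03-02 17:02:02 ACCOUNT_LOCKED user=erin src=10.1.1.50
2001-03-02 17:02:03 ACCOUNT_LOCKED user=frank src=10.1.1.50
2001-03-02 17:02:03 ACCOUNT_LOCKED user=grace src=10.1.1.50
2001-03-02 17:02:04 unrelated noise line that must be ignored
2001-03-03 08:31:45 ACCOUNT_LOCKED user=bob src=10.1.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ACCOUNT_LOCKED "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_lockouts(text):
    """Return (timestamp, user, source) tuples for every lockout line, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("src")))
    events.sort()
    return events


def find_mass_lockouts(events, window=timedelta(minutes=10), threshold=5):
    """Flag any window in which at least `threshold` distinct accounts were
    locked. A single account locking now and then is ordinary user error; many
    accounts locking together is the signature of guessing run against every
    account, whether by an attacker or by a scanner with a brute-force option."""
    alerts = []
    i, j, n = 0, 0, len(events)
    while i < n:
        # extend j to the first event more than `window` after events[i]
        while j < n and events[j][0] - events[i][0] <= window:
            j += 1
        cluster = events[i:j]
        users = {u for _, u, _ in cluster}
        if len(users) >= threshold:
            alerts.append({
                "start": cluster[0][0],
                "end": cluster[-1][0],
                "accounts": sorted(users),
                "sources": sorted({s for _, _, s in cluster}),
            })
            i = j  # this cluster is reported; continue past it
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for a in find_mass_lockouts(parse_lockouts(SAMPLE_LOG)):
        print(f"{a['start']} - {a['end']}: {len(a['accounts'])} accounts locked "
              f"from {', '.join(a['sources'])}")
```

In the sidebar's situation the single source address would be the host the scanner ran from, which is the correlation the author made by hand.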
The second way to perform password cracking is automated, where you
obtain a copy of the encrypted passwords and try to crack them offline.
This requires a little more effort because you have to acquire a copy of the
encrypted passwords, which usually means that you need to have access
to the system.
After you have the password file, this method is extremely quick and hard
to detect, because it is an offline attack. The quickness comes from using
a program that goes through a list of words to see if there is a match,
which allows you to crack multiple passwords simultaneously. For
example, you take a list of words and, for each word, you compute the
hash of the password and run through each account to see if there is a
match. You continue this for each word in the list, until every password is
cracked. If ten people have the same password, you have cracked all ten
passwords at the same time, unless a salt is being used.
For these reasons, most people use automated methods. Also, to check
the strength of passwords on your own system, using an automated
method is more effective from a time and resource standpoint. The
following is the general algorithm used for automated password cracking:
1. Find valid user IDs.
2. Find the encryption algorithm used.
3. Obtain encrypted passwords.
4. Create a list of possible passwords.
5. Encrypt each word.
6. See if there is a match for each user ID.
7. Repeat steps 1 through 6.
Looking at this, you might think that step 2, finding the encryption
algorithm, would be difficult, but it is based on the philosophy of
encryption algorithms. The security of an encryption algorithm is based on
the key that is used and not on the secrecy of the algorithm. Because
there is no way to prove whether an encryption algorithm is secure, the
closest you can get to proving it is secure is to give it to a bunch of smart
people; if they cannot break it, you assume it is secure. Therefore, for
almost all operating systems, the encryption algorithm that is used is
available and can be obtained easily.
Why Is Password Cracking Important?
From a security standpoint, password cracking can help you build and
maintain a more secure system. The following are some of the reasons
why password cracking is useful:
• To audit the strength of passwords
• To recover forgotten/unknown passwords
• To migrate users
• To use as a checks and balance system
The most important benefit of password cracking is to audit the strength
of passwords. An administrator can create password policies and put
mechanisms in place to force users to have strong passwords, but I have
found they are never 100 percent, and people can always find ways
around them.
For example, I know of a company that required users to have eight-
character passwords, not reuse the last five passwords, and change
passwords every 60 days. The administrator overheard people saying that
they had the same password for the last six months. After further
investigation, they realized that users were changing their passwords to
new passwords, immediately changing the passwords five times to
overcome the restriction, finally changing them back to the old passwords.
In other words, users figured out how to bypass the security restrictions.
The administrator fixed this by having a minimum password age of ten
days. Because users will actively try to have weak passwords, the only
true way to know the strength of a password is to see how long it takes to
crack it.
Password cracking also lets you track your difficult users over time. If over
the last six months, the same users are always having their password
cracked in less than five minutes, you might want to spend some time
educating those users. One major drawback to cracking passwords for
auditing is that there is a file on your system that contains the plaintext
password of every user. Also, there is at least one person (the security
administrator) who knows everyone’s password. Based on this, there are
some people who shy away from password cracking.
In my opinion, you have to weigh the strengths and weaknesses. The
weakness is that knowing everyone’s password could lead to compromise.
In my opinion, because the security administrator usually knows and has
root/domain administrator access to most systems, knowing the
passwords is not a threat. If you cannot trust your security administrator,
who can you trust (some pun intended)?
Auditing the Strength of Passwords
There are ways you can use password cracking programs to audit the
strength of passwords without knowing users’ passwords. It takes a little
creativity, but it works. Let’s assume that your password policy states that
all passwords must contain letters, numbers, and special characters. If
you run the password cracker with the following options, which will set the
cracker to “brute force,” or guess and keep guessing, passwords until it
finds all the ones that meet the following criteria, you can determine if
users are following your policy, without cracking their passwords:
• Brute force passwords that contain only letters.
• Brute force passwords that contain only numbers.
• Brute force passwords that contain only special characters.
• Brute force passwords that contain only letters and numbers.
• Brute force passwords that contain only letters and special
characters.
• Brute force passwords that contain only special characters and
numbers.
For more information about using brute force on passwords, see the
“Brute Force Attack” section later in this chapter. Using this technique, if a
password is cracked, it means the password did not follow the policy and
would have to be changed. If a user did follow the policy, her password
would not be cracked, and there is less of a security risk.
Another way around having an analyst know all the users’ passwords is to
break up responsibilities so that only certain security personnel know
certain information. Also, the cracked file should never reside on a server
in plain text. It should always be reencrypted and stored in a safe place,
possibly even on a floppy or Zip disk and locked away in a safe.
The benefit of password cracking is that you get a clear picture of the
security of passwords and what needs to be fixed. In my opinion, the
strengths outweigh the weaknesses, but it is a decision that you have to
make for your company.
Recovering Forgotten/Unknown Passwords
I frequently receive calls where a client needs to know how to get into a
machine because the administrator is either on vacation or left on bad
terms. As you have seen in this chapter, because most passwords are
weak, even the administrator password can be cracked in a relatively
short period of time. By extracting the password hashes and cracking the
passwords, you can gain access to a system.
To avoid these kinds of problems, it is important to have a master list of
administrator passwords for systems, secured and locked away
somewhere in case of an emergency. Again, even though some people
view this as a risk or a security violation, if it is controlled properly, it can
be well worth it, especially in a crisis.
Migrating Users
Being able to crack passwords so that you can seamlessly migrate users
from one system to another is usually a very bad idea. I do not
recommend it, but I include it for completeness because I’ve seen so
many companies use password cracking for this purpose.
In some cases, companies switch operating systems or change their
domain structure and have to migrate users from one system to another.
One way to migrate users is to move accounts, give users a default
password, and have them change it the next time they log on. Most
administrators shy away from this for two reasons. First, because every
user temporarily would have the same password, people could log on to
each other’s account and cause problems. Second, whenever you have a
large number of users change their passwords at the same time, the
potential increases for users to make mistakes or not be able to
successfully change their passwords.
For these reasons, when administrators move user accounts, they would
like a way to keep everyone’s password the same. One way to do this is to
crack everyone’s password, create new accounts on the system, and type
in everyone’s new password.
In this situation, I believe the weaknesses outweigh the strengths, which
is why I don’t recommend it. There is one level of risk to cracking
passwords to audit their strength. There is a whole other risk to cracking
passwords, creating lists, and using them to create new accounts. In my
experience, whenever I have seen a company try to accomplish this, it
always backfires and causes problems.
All Mistakes Are Big Mistakes
Company X was migrating from multiple NT domains to a single NT
domain and needed to migrate more than 1,200 user accounts.
The help desk had grave concerns about all of these users logging
on with default passwords and then changing their passwords on
the same morning. So, the company cracked everyone’s password
and created a list that contained everyone’s user ID and their
password and gave it to 12 people. Each person had to change
100 passwords. One of the people that was changing the
passwords thought it would be very helpful and kept a copy for his
records. Shortly after the migration, this person was let go and no
one thought anything of it.
Three months later, I was hired by the company to perform a
security assessment, because they were having a lot of issues. As
part of my assessment, I searched on various hacker newsgroups
to see if there was any information on this company. After some
searching, I found a copy of the password list. Evidently, the
person who made a copy of the passwords posted it to various
newsgroups and now everyone had a copy of the password file.
More than 85 percent of the passwords were still valid.
In this example, the company could have been more careful, but
the bottom line is that mistakes get made, and in this game,
mistakes are very costly.
Checks and Balances
From a checks and balances standpoint, you can run a password cracker
to check the strengths of passwords without ever cracking the passwords.
For example, in most companies, there are separate administrators who
are responsible for certain machines. In these cases, you might not want
the security administrator to know the password for every machine
because the risk factor is too high. The security administrator can still
audit the strength of the passwords without knowing what they are. This
is similar to the example that was given in the Auditing the Strength of
Passwords section earlier.
Types of Password Attacks
If an attacker can guess or determine a user’s password, he can gain
access to a machine or network and have full access to any resources that
user has access to. This can be extremely detrimental if the user has
special access such as domain administrator or root privileges.
One of the most common ways of obtaining a password is by cracking it.
This involves getting the encrypted version of the password and, based on
the system that it was extracted from, determining the encryption that was
used. Then by using one of the methods listed below, an attacker can take
a plain text password, encrypt it, and see if there is a match. The
following are three main types of password cracking attacks:
• Dictionary attacks
• Brute force attacks
• Hybrid attacks
Dictionary Attack
Because most people use common dictionary words as passwords,
launching a dictionary attack is usually a good start. A dictionary attack
takes a file that contains most of the words that would be contained in a
dictionary and uses those words to guess a user’s password. Why bother
going through every combination of letters if you can guess 70 percent of
the passwords on a system by just using a dictionary of 10,000 words? On
most systems, a dictionary attack can be completed in a short period of
time compared to trying every possible letter combination.
Another nice thing about using a dictionary attack to test the security of
your system is that you can customize it for your company or users. If
there is a word that a lot of people use in your line of work, you can add it
to the dictionary. If there are a lot of sports fans that work at your
company, you can append a sports dictionary to your core dictionary.
There are a large number of precompiled dictionaries available on the
Internet, including foreign language dictionaries and dictionaries for
certain types of companies.
In most cases, when I perform a security assessment, I can crack most of
the passwords using a straight dictionary attack. I usually like to walk
around the office space and look in people’s offices to get a better idea of
their interests and hobbies. Based on what I find, I update the dictionary.
For example, in one company, I was performing an assessment where I
was authorized to crack passwords. I noticed that a lot of people liked one
of the local sports teams and were big fans of the upcoming Olympics. I
did a little research and added terms relating to the local team, its
mascot, and the names of the all-stars. I did the same thing for the
Olympics. Over 75 percent of the passwords were cracked with a
dictionary attack. What makes this so interesting is that 35 percent of the
passwords that were cracked were derived from the new terms that I
added.
By carefully understanding an environment, your chances of successfully
cracking a password increase. From a security standpoint, it is so
important to urge users not to pick passwords that can be easily derived
from their surroundings.
Brute Force Attack
A lot of people think that if you pick a long enough password or if you use
a strong enough encryption scheme, you can have a password that is
unbreakable. The truth is that all passwords are breakable; it is just a
matter of how long it takes to break or crack it. For example, it might take
200 years to crack a high-grade encryption, but the bottom line is that it
is breakable, and the time to break it decreases every day as computer
speeds increase. A password ten years ago that would take 100 years to
crack can be cracked in under a week today. If you have a fast enough
computer that can try every possible combination of letters, numbers, and
special characters, you will eventually crack a password. This type of
password cracking is known as a brute force attack.
With a brute force attack, you start with the letter a and try aa, ab, ac,
and so on; then you try aaa, aab, aac, and so on. I think you get the
point.
It’s important to note that with brute force attacks, some administrators
unknowingly do some things that make it easier to crack a password. One
of these things is minimal length passwords. If an attacker knows that the
minimum length for a password is six characters, the brute force attacks
can start with aaaaaa and go from there. Why try all possible one-, two-,
three-, four-, and five-character passwords when an attacker knows that
they are not allowed on the system?
On the other hand, an administrator has to determine which is the greater
risk—having a minimum length password and possibly making the
attacker’s job a little easier or having no minimum length but allowing
users to pick any length password they want. In this case, if users pick
four-character passwords, this presents a greater risk to the system. I
have found that it is better to have passwords be a minimum length,
because otherwise users will pick short passwords and you will be even
worse off.
With a brute force attack, it is basically a battle between the speed of the
CPU and the time it takes to crack a password. Current desktop computers
that are on most desks rival the high-end servers that most companies
had ten years ago. This means that as memory becomes cheaper and
processors become faster, things that used to take a long time to
accomplish can be done in a very short period of time.
Another important thing to point out is distributed attacks. If an attacker
wants to crack passwords in a short period of time, he does not
necessarily have to buy a large number of expensive computers. He could
break into several other sites that have large computers and use those to
crack your company’s passwords.
Taking all of these possibilities into consideration, in the next couple of
years, companies that want strong security will have to rely on operating
system vendors to put better encryption and password protection into
their systems, use one-time passwords for authentication, or use other
forms of authentication like biometrics.
Here is a general rule of thumb I like to follow: The password change
interval should be less than the time it would take to brute force a
password. This way, even if someone can brute force a password, by the
time he accomplishes the attack, the password has been changed. For
example, if I can brute force your password in 60 days, your password
change policy should be 45 days. Unfortunately, not only do most
companies not follow this rule, they take it to the other extreme. Most
companies I have seen can have their passwords cracked in less than five
days, yet their password change interval is more than nine months. In
these cases, even if it takes an attacker three months to crack the
password, he has six months of access. With the current state of
passwords and security, having a change interval less than 90 days is
unacceptable.
It is important to note that there are pros and cons to any decision.
Initially, if you alter the password change interval for your company from
12 months to 60 days, you are going to have potential issues, ranging
from disgruntled employees to the help desk getting overloaded with
requests to people writing down their passwords. In these cases, you
might be better off decreasing the password change interval gradually. Go from 12
months to 11 months, then 10 months, and slowly wean users into the
new policy.
Also, make sure you inform users of what is occurring. The biggest
drawback you have to decreasing the password change interval is that,
because their passwords change so often, users will feel that the only way
they can remember their passwords is to write them down. This is where
training and user awareness come in.
Hybrid Attack
Dictionary attacks find only dictionary words but are quick, and brute
force attacks find any password but take a long time. Unfortunately, as
most administrators crack down on passwords and require users to have
letters and numbers, what do most people do? They just add a couple of
digits to the end of a password—for example, my password goes from
ericgolf to ericgolf55. By doing this, you get a false sense of security
because an attacker would have to do a brute force attack, which would
take a while, yet the password is weak. In these cases, there is an attack
that takes dictionary words but concatenates a couple of letters or
numbers to the end—the hybrid attack. The hybrid attack takes your
dictionary word and adds a couple of characters to the end. Basically, it
sits between the dictionary and the brute force attack.
Table 8.2 shows the relationship between the different types of attacks.
Table 8.2. Comparison of the Types of Password Attacks

                               Dictionary attack    Brute Force attack      Hybrid attack
Speed of the attack            Fast                 Slow                    Medium
Amount of passwords cracked    Finds only words.    Finds every password.   Finds only passwords that have a
                                                                            dictionary word as the base.
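An added auditing example, not the book's code, that ties together the "Auditing the Strength of Passwords" section earlier and the hybrid attack just described: each rule generates candidates of one shape (letters only, digits only, dictionary word plus digits), and the audit reports which rule an account's password matched, never the password itself. The hash scheme, record layout, sample accounts, mini dictionary, and the short candidate lengths are all assumptions made so the example runs in seconds.

```python
import hashlib
import itertools
import string

# Added example, not the book's code. The hash scheme (SHA-256 over salt and
# password), the record layout, and the tiny candidate lengths are assumptions
# chosen so the example runs quickly; a real audit uses the policy's own
# minimum length and a full dictionary.


def hash_pw(password, salt):
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def class_candidates(alphabet, max_len):
    """Every string of 1..max_len characters drawn only from `alphabet`: the
    'brute force passwords that contain only letters' style of rule."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def hybrid_candidates(words, max_suffix=2):
    """Dictionary words with 0..max_suffix digits appended (ericgolf -> ericgolf55)."""
    for word in words:
        yield word
        for n in range(1, max_suffix + 1):
            for digits in itertools.product(string.digits, repeat=n):
                yield word + "".join(digits)


def audit(records, rules):
    """records: {user: (salt, stored_hash)}.  rules: [(label, candidate_factory)].
    Returns {user: label} naming the first rule whose candidates reproduce the
    stored hash. The matching password is never returned or written anywhere,
    so the auditor learns 'policy violated', not the secret itself."""
    findings = {}
    for label, factory in rules:
        pending = {u: r for u, r in records.items() if u not in findings}
        if not pending:
            break
        for candidate in factory():
            for user, (salt, stored) in list(pending.items()):
                if hash_pw(candidate, salt) == stored:
                    findings[user] = label
                    del pending[user]
            if not pending:
                break
    return findings


# Constructed sample data: a mini dictionary and four accounts. Fixed salts
# (the user name) keep the run repeatable; a real store uses random salts.
SAMPLE_WORDS = ["golf", "tiger", "eagle"]
SAMPLE_RECORDS = {
    user: (user.encode(), hash_pw(pw, user.encode()))
    for user, pw in {"alice": "cat", "bob": "4711",
                     "carol": "golf55", "dave": "x9!Qz"}.items()
}

# Rules are ordered from cheapest to most expensive, as the text suggests.
POLICY_RULES = [
    ("letters only", lambda: class_candidates(string.ascii_lowercase, 3)),
    ("digits only", lambda: class_candidates(string.digits, 4)),
    ("dictionary word plus digits", lambda: hybrid_candidates(SAMPLE_WORDS, 2)),
]


if __name__ == "__main__":
    for user, rule in sorted(audit(SAMPLE_RECORDS, POLICY_RULES).items()):
        print(f"{user}: password violates policy ({rule})")
```

An account absent from the findings (dave above) survived every rule, which is the "less of a security risk" outcome the auditing section describes.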
Other Types of Password Attacks
The focus of this chapter has been on password cracking, because that is
the main security threat posed to most companies. The key to remember
is that an attacker will take the path of least resistance, to acquire the
information that he is after.
For example, if I want to secure my house, one way to accomplish this is
to heavily secure the front of my house. I put bars on the front windows
and have a big steel door with a guard dog chained to the lamppost. From
most perspectives, this is fairly secure. Unfortunately, if you walk around
to the back of the house, the back door is wide open and anybody can
walk in.
This might seem bizarre, yet this is how most companies have their
security set up. They concentrate all of their efforts in one area and forget
about everything else. This is true for password security. Even though the
main threat is password cracking, if your passwords are very secure and
cannot be cracked, someone can still compromise your passwords.
Following are some of the other methods for compromising your
passwords:
• Social engineering
• Shoulder surfing
• Dumpster diving
Social Engineering
In most companies, if you trust someone, you give them access to
privileged information. In the digital world we live in, you give someone a
user ID and password so that someone can access sensitive information.
In most cases, this means employees and trusted contractors get access
and no one else.
But what if an attacker convinces someone at your company that he is a
trusted entity? He can then obtain an account on your system. It’s the
essence of social engineering—deceiving people to give you information
you should not have access to because they think you are someone else.
If you, as a help desk administrator, think I am an employee of the
company and all employees need accounts on the system, you would give
me an account. This technique seems very simple and easy but is
extremely effective.
Let’s look at an example. Let’s say an evil attacker performs a whois on
your domain name and pulls off the technical point of contact. The
technical point of contact is a required field for all registered domain
names. It provides contact information for the person who should be
notified if you have any technical questions with that domain. In this case,
her name is Sally. The attacker then calls information and asks for the
general number for your company. After the operator for the company
picks up, he asks to be connected to the help desk, at which point he
explains that he is a new contractor at the company working for Sally. The
company is having some problems with the network and he has been
brought on to help fix them. This is a high-priority problem and has
visibility up to the CEO. He explains that Sally told him that this is not the
normal procedure, but based on the circumstance and the urgency, you
can help him out. He also offers to give Sally’s number for approval.
In most cases, if the attacker has a convincing voice, he is given a user ID
and password and receives access to the system. It is that simple; if you